Differences Between an RODC and a Writable Domain Controller

Updated: April 26, 2012

Applies To: Windows Server 2008, Windows Server 2012

As an additional domain controller for a domain, a read-only domain controller (RODC) performs the same operations as a writable domain controller. For example, because an RODC contains a copy of the directory database and a copy of the SYSVOL folder that contains the Group Policy objects (GPOs) and logon scripts for client computers, it can respond to authentication requests just as a writable domain controller does. However, there are a number of differences between an RODC and a writable domain controller. The following table lists the important differences in the characteristics of an RODC and a writable domain controller.

Characteristic

RODC

Writable domain controller

Active Directory database access

The database on an RODC is read only. Applications can only read data from the directory when they target an RODC; they cannot write data in the directory. However, RODCs automatically forward certain write operations to writable domain controllers, and they can send referrals to writable domain controllers when necessary.

All read and write operations are possible on a writable domain controller.

Data replication between domain controllers

An RODC only replicates data from a writable domain controller, and it never replicates data to another domain controller in the domain. This is true for both the Active Directory data and the SYSVOL data.

Writable domain controllers replicate any changes that occur elsewhere in the domain from other writable domain controllers, and they replicate data that was written to their database to other domain controllers.

Data that is stored in the database

RODCs contain a complete copy of the database, with the exception of credentials and other credential-like attributes that are part of the RODC filtered attributes set (FAS).

However, you can select which credentials can be cached on the RODC to provide better authentication performance for users who are located in a site that an RODC services.

Writable domain controllers contain a complete copy of the directory database, including credentials for all accounts.

Administration

RODCs can be administered by delegated users that do not have any domain privileges beyond standard domain users. Administration operations include applying hotfixes and software updates, performing offline defragmentation and backups, and so on.